From 0699ba1f500f3e8428ace92346ce6c6d38544812 Mon Sep 17 00:00:00 2001 
From: Martin Schuppert Date: Mon, 20 Jan 2025 16:06:14 +0100 Subject: [PATCH] Allow customize http vhost config using HttpdCustomization.CustomConfigSecret This change allows to customize the httpd vhost config using this parameter to specify a secret that contains service config data. The content of each provided snippet gets rendered as a go template and placed into /etc/httpd/conf/httpd_custom__ . At the end of the vhost config in the default httpd template these custom configs get included using `Include conf/httpd_custom__*`. For information on how sections in httpd configuration get merged, check section "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging All possible parameters which can be use in a template can be looked up in the -config-data secret of the service like: $ oc get secret -n openstack barbican-config-data -o json | jq -r .data.TemplateParameters | base64 -d $ oc get secret -n openstack barbicanapi-config-data -o json | jq -r .data.TemplateParameters | base64 -d or in the running pod of the service in the file: $ cat /var/lib/config-data/default/TemplateParameters The content is a versioned dump of the parameters of the service operator, like: ~~~ DatabaseConnection: mysql+pymysql://user:pwd@openstack..svc/keystone?read_default_file=/etc/my.cnf EnableSecureRBAC: true EnabledSecretStores: simple_crypto GlobalDefaultSecretStore: simple_crypto KeystoneAuthURL: http://keystone-internal.openstack.svc:5000 LogFile: /var/log/barbican/barbican-api.log ServicePassword: ServiceUser: barbican SimpleCryptoEnabled: true SimpleCryptoKEK: "" TimeOut: 90 TransportURL: rabbit://rabbitmq-secret/fake VHosts: internal: Override: true ServerName: barbican-internal..svc TLS: false public: Override: true ServerName: barbican-public..svc TLS: false ~~~ Depends-On: https://github.com/openstack-k8s-operators/lib-common/pull/591 Depends-On: https://github.com/openstack-k8s-operators/lib-common/pull/593 Jira: 
https://issues.redhat.com/browse/OSPRH-13100 Signed-off-by: Martin Schuppert --- .../barbican.openstack.org_barbicanapis.yaml | 14 +++++ .../barbican.openstack.org_barbicans.yaml | 14 +++++ api/go.mod | 2 +- api/go.sum | 4 +- api/v1beta1/barbicanapi_types.go | 17 ++++++ api/v1beta1/zz_generated.deepcopy.go | 21 +++++++ .../barbican.openstack.org_barbicanapis.yaml | 14 +++++ .../barbican.openstack.org_barbicans.yaml | 14 +++++ controllers/barbican_common.go | 16 ++--- controllers/barbican_controller.go | 20 +++++-- controllers/barbicanapi_controller.go | 42 ++++++++++++- .../barbicankeystonelistener_controller.go | 10 +++- controllers/barbicanworker_controller.go | 10 +++- go.mod | 4 +- go.sum | 4 +- .../config/10-barbican_wsgi_main.conf | 5 ++ .../barbican/config/barbican-api-config.json | 7 +++ tests/functional/barbican_controller_test.go | 60 +++++++++++++++++++ 18 files changed, 256 insertions(+), 22 deletions(-) diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml index 6e38ed9..b6ad0ea 100644 --- a/api/bases/barbican.openstack.org_barbicanapis.yaml +++ b/api/bases/barbican.openstack.org_barbicanapis.yaml 
@@ -118,6 +118,20 @@ spec: - simple_crypto - pkcs11 type: string + httpdCustomization: + description: HttpdCustomization - customize the httpd service + properties: + customConfigSecret: + description: |- + CustomConfigSecret - customize the httpd vhost config using this parameter to specify + a secret that contains service config data. The content of each provided snippet gets + rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + In the default httpd template at the end of the vhost those custom configs get + included using `Include conf/httpd_custom__*`. + For information on how sections in httpd configuration get merged, check section + "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + type: string + type: object networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml index 3de834c..7e25f20 100644 --- a/api/bases/barbican.openstack.org_barbicans.yaml +++ b/api/bases/barbican.openstack.org_barbicans.yaml 
@@ -91,6 +91,20 @@ spec: description: EnableSecureRBAC - Enable Consistent and Secure RBAC policies type: boolean + httpdCustomization: + description: HttpdCustomization - customize the httpd service + properties: + customConfigSecret: + description: |- + CustomConfigSecret - customize the httpd vhost config using this parameter to specify + a secret that contains service config data. The content of each provided snippet gets + rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + In the default httpd template at the end of the vhost those custom configs get + included using `Include conf/httpd_custom__*`. + For information on how sections in httpd configuration get merged, check section + "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + type: string + type: object networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network diff --git a/api/go.mod b/api/go.mod index 37a1238..33e2492 100644 --- a/api/go.mod +++ b/api/go.mod @@ -5,7 +5,7 @@ go 1.21 require ( github.com/onsi/ginkgo/v2 v2.20.1 github.com/onsi/gomega v1.34.1 - github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e + github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 k8s.io/api v0.29.10 k8s.io/apimachinery v0.29.10 k8s.io/client-go v0.29.10 diff --git a/api/go.sum b/api/go.sum index 530b786..43ee5ef 100644 --- a/api/go.sum +++ b/api/go.sum 
@@ -72,8 +72,8 @@ github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 h1:vXHpH93PjbAgg5ZN6n5WmxkybVQOs0nhXvVw62o7aZs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= diff --git a/api/v1beta1/barbicanapi_types.go b/api/v1beta1/barbicanapi_types.go index 9adba87..88b529b 100644 --- a/api/v1beta1/barbicanapi_types.go +++ b/api/v1beta1/barbicanapi_types.go @@ -53,6 +53,10 @@ type BarbicanAPITemplateCore struct { // +kubebuilder:validation:Optional // APITimeout for HAProxy and Apache defaults to Barbican APITimeout (seconds) APITimeout int `json:"apiTimeout"` + + // +kubebuilder:validation:Optional + // HttpdCustomization - customize the httpd service + HttpdCustomization HttpdCustomization `json:"httpdCustomization,omitempty"` } // APIOverrideSpec to override the generated manifest of several child resources. 
@@ -62,6 +66,19 @@ type APIOverrideSpec struct { Service map[service.Endpoint]service.RoutedOverrideSpec `json:"service,omitempty"` } +// HttpdCustomization - customize the httpd service +type HttpdCustomization struct { + // +kubebuilder:validation:Optional + // CustomConfigSecret - customize the httpd vhost config using this parameter to specify + // a secret that contains service config data. The content of each provided snippet gets + // rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + // In the default httpd template at the end of the vhost those custom configs get + // included using `Include conf/httpd_custom__*`. + // For information on how sections in httpd configuration get merged, check section + // "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + CustomConfigSecret *string `json:"customConfigSecret,omitempty"` +} + // BarbicanAPISpec defines the desired state of BarbicanAPI type BarbicanAPISpec struct { BarbicanTemplate `json:",inline"` diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 60e7571..a9c94a6 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -225,6 +225,7 @@ func (in *BarbicanAPITemplateCore) DeepCopyInto(out *BarbicanAPITemplateCore) { in.BarbicanComponentTemplate.DeepCopyInto(&out.BarbicanComponentTemplate) in.Override.DeepCopyInto(&out.Override) in.TLS.DeepCopyInto(&out.TLS) + in.HttpdCustomization.DeepCopyInto(&out.HttpdCustomization) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanAPITemplateCore. 
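Review bot: The doc comment on `CustomConfigSecret` in `HttpdCustomization` omits the constraints that matter to whoever grants access to this field. The reconciler in controllers/barbicanapi_controller.go looks the secret up in the instance's own namespace and renders every key once per endpoint with the full template parameter set, which by the commit message's own example includes `DatabaseConnection`, `ServicePassword` and `SimpleCryptoKEK`. I would append to the comment: `// The secret must exist in the namespace of the CR. Snippets can reference any template parameter, including credentials, so write access to this secret is equivalent to write access to the httpd config.` The file-name pattern in the comment reads `httpd_custom_ .`, so the endpoint and key placeholders appear to be missing and should be restored.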
@@ -783,6 +784,26 @@ func (in *BarbicanWorkerTemplateCore) DeepCopy() *BarbicanWorkerTemplateCore { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HttpdCustomization) DeepCopyInto(out *HttpdCustomization) { + *out = *in + if in.CustomConfigSecret != nil { + in, out := &in.CustomConfigSecret, &out.CustomConfigSecret + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HttpdCustomization. +func (in *HttpdCustomization) DeepCopy() *HttpdCustomization { + if in == nil { + return nil + } + out := new(HttpdCustomization) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PasswordSelector) DeepCopyInto(out *PasswordSelector) { *out = *in diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml index 6e38ed9..b6ad0ea 100644 --- a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml 
@@ -118,6 +118,20 @@ spec: - simple_crypto - pkcs11 type: string + httpdCustomization: + description: HttpdCustomization - customize the httpd service + properties: + customConfigSecret: + description: |- + CustomConfigSecret - customize the httpd vhost config using this parameter to specify + a secret that contains service config data. The content of each provided snippet gets + rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + In the default httpd template at the end of the vhost those custom configs get + included using `Include conf/httpd_custom__*`. + For information on how sections in httpd configuration get merged, check section + "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + type: string + type: object networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml index 3de834c..7e25f20 100644 --- a/config/crd/bases/barbican.openstack.org_barbicans.yaml +++ b/config/crd/bases/barbican.openstack.org_barbicans.yaml 
@@ -91,6 +91,20 @@ spec: description: EnableSecureRBAC - Enable Consistent and Secure RBAC policies type: boolean + httpdCustomization: + description: HttpdCustomization - customize the httpd service + properties: + customConfigSecret: + description: |- + CustomConfigSecret - customize the httpd vhost config using this parameter to specify + a secret that contains service config data. The content of each provided snippet gets + rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + In the default httpd template at the end of the vhost those custom configs get + included using `Include conf/httpd_custom__*`. + For information on how sections in httpd configuration get merged, check section + "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + type: string + type: object networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network diff --git a/controllers/barbican_common.go b/controllers/barbican_common.go index c424787..3fffc0f 100644 --- a/controllers/barbican_common.go +++ b/controllers/barbican_common.go 
@@ -41,18 +41,20 @@ func GenerateConfigsGeneric( customData map[string]string, cmLabels map[string]string, scripts bool, + customTemplates map[string]string, ) error { cms := []util.Template{ // Templates where the BarbicanAPI config is stored { - Name: fmt.Sprintf("%s-config-data", instance.GetName()), - Namespace: instance.GetNamespace(), - Type: util.TemplateTypeConfig, - InstanceType: instance.GetObjectKind().GroupVersionKind().Kind, - ConfigOptions: templateParameters, - CustomData: customData, - Labels: cmLabels, + Name: fmt.Sprintf("%s-config-data", instance.GetName()), + Namespace: instance.GetNamespace(), + Type: util.TemplateTypeConfig, + InstanceType: instance.GetObjectKind().GroupVersionKind().Kind, + ConfigOptions: templateParameters, + CustomData: customData, + Labels: cmLabels, + StringTemplate: customTemplates, }, } if scripts { diff --git a/controllers/barbican_controller.go b/controllers/barbican_controller.go index afdbb1a..9dc8978 100644 --- a/controllers/barbican_controller.go +++ b/controllers/barbican_controller.go @@ -22,6 +22,7 @@ import ( "slices" "time" + "gopkg.in/yaml.v2" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/kubernetes" @@ -555,10 +556,11 @@ func (r *BarbicanReconciler) reconcileDelete(ctx context.Context, instance *barb // fields to index to reconcile when change const ( - passwordSecretField = ".spec.secret" - caBundleSecretNameField = ".spec.tls.caBundleSecretName" - tlsAPIInternalField = ".spec.tls.api.internal.secretName" - tlsAPIPublicField = ".spec.tls.api.public.secretName" + passwordSecretField = ".spec.secret" + caBundleSecretNameField = ".spec.tls.caBundleSecretName" + tlsAPIInternalField = ".spec.tls.api.internal.secretName" + tlsAPIPublicField = ".spec.tls.api.public.secretName" + httpdCustomServiceConfigSecretField = ".spec.httpdCustomization.customServiceConfigSecret" ) var ( 
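Review bot: The index key `httpdCustomServiceConfigSecretField` in the const block is set to `.spec.httpdCustomization.customServiceConfigSecret`, but the field added in api/v1beta1/barbicanapi_types.go serialises as `customConfigSecret`. As far as the visible code shows the string is only used as an index key, so lookups still work as long as the same constant is used, but the other constants in this block mirror the real JSON path and this one will mislead anyone searching for the field. I would rename it to `httpdCustomConfigSecretField = ".spec.httpdCustomization.customConfigSecret"` and update its uses in `allWatchFields` and `SetupWithManager`.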
@@ -571,6 +573,7 @@ var ( caBundleSecretNameField, tlsAPIInternalField, tlsAPIPublicField, + httpdCustomServiceConfigSecretField, } ) @@ -678,7 +681,14 @@ func (r *BarbicanReconciler) generateServiceConfig( maps.Copy(templateParameters, pkcs11TemplateMap) } - return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, true) + // Marshal the templateParameters map to YAML + yamlData, err := yaml.Marshal(templateParameters) + if err != nil { + return fmt.Errorf("Error marshalling to YAML: %w", err) + } + customData[common.TemplateParameters] = string(yamlData) + + return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, true, map[string]string{}) } func (r *BarbicanReconciler) transportURLCreateOrUpdate( diff --git a/controllers/barbicanapi_controller.go b/controllers/barbicanapi_controller.go index 30b4be8..e0453d6 100644 --- a/controllers/barbicanapi_controller.go +++ b/controllers/barbicanapi_controller.go @@ -42,6 +42,7 @@ import ( "github.com/openstack-k8s-operators/lib-common/modules/common/tls" "github.com/openstack-k8s-operators/lib-common/modules/common/util" mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1" + "gopkg.in/yaml.v2" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" 
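Review bot: The YAML dump stored under `common.TemplateParameters` in generateServiceConfig carries every template parameter verbatim, and nothing at the call site says that this includes credentials. The commit message's sample shows `DatabaseConnection` with an embedded password, `ServicePassword` and `SimpleCryptoKEK` in that dump, so a comment such as `// templateParameters holds credentials: this dump must only be stored in a Secret and never logged` would keep a later refactor from routing it to a ConfigMap or a debug log. On style, Go error strings are lowercase and name the operation: `return fmt.Errorf("marshalling template parameters to YAML: %w", err)`. The same block is repeated in the generateServiceConfigs hunks of barbicanapi_controller.go, barbicankeystonelistener_controller.go and barbicanworker_controller.go, and the enclosing function starts outside this hunk.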
@@ -348,7 +349,16 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs( maps.Copy(templateParameters, pkcs11TemplateMap) } + httpdOverrideSecret := &corev1.Secret{} + if instance.Spec.HttpdCustomization.CustomConfigSecret != nil && *instance.Spec.HttpdCustomization.CustomConfigSecret != "" { + httpdOverrideSecret, _, err = secret.GetSecret(ctx, h, *instance.Spec.HttpdCustomization.CustomConfigSecret, instance.Namespace) + if err != nil { + return err + } + } + // create httpd vhost template parameters + customTemplates := map[string]string{} httpdVhostConfig := map[string]interface{}{} for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} { endptConfig := map[string]interface{}{} @@ -359,12 +369,29 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs( endptConfig["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", endpt.String()) endptConfig["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", endpt.String()) } + + endptConfig["Override"] = false + if len(httpdOverrideSecret.Data) > 0 { + endptConfig["Override"] = true + for key, data := range httpdOverrideSecret.Data { + if len(data) > 0 { + customTemplates["httpd_custom_"+endpt.String()+"_"+key] = string(data) + } + } + } httpdVhostConfig[endpt.String()] = endptConfig } templateParameters["VHosts"] = httpdVhostConfig templateParameters["TimeOut"] = instance.Spec.APITimeout - return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false) + // Marshal the templateParameters map to YAML + yamlData, err := yaml.Marshal(templateParameters) + if err != nil { + return fmt.Errorf("Error marshalling to YAML: %w", err) + } + customData[common.TemplateParameters] = string(yamlData) + + return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false, customTemplates) } func (r *BarbicanAPIReconciler) reconcileInit( 
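Review bot: In the endpoint loop `endptConfig["Override"]` becomes true as soon as the secret has any key, but keys with empty data are skipped, so a secret holding only empty values enables the include without producing a single `httpd_custom_` file for that endpoint. The vhost template then emits `Include conf/httpd_custom_{{ $endpt }}_*`, and the Apache 2.4 documentation states that `Include` fails when a wildcard matches no file, which would keep httpd from starting. I would set `Override` only once a snippet has actually been added, as sketched below, and switch the template in templates/barbican/config/10-barbican_wsgi_main.conf to `IncludeOptional` as a second guard. The enclosing function starts and ends outside the hunk.

```go
// … unchanged: TLS settings for the endpoint …
endptConfig["Override"] = false
for key, data := range httpdOverrideSecret.Data {
	if len(data) == 0 {
		continue
	}
	// Enable the Include only when at least one snippet exists for this endpoint.
	endptConfig["Override"] = true
	customTemplates["httpd_custom_"+endpt.String()+"_"+key] = string(data)
}
httpdVhostConfig[endpt.String()] = endptConfig
```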
@@ -907,6 +934,19 @@ func (r *BarbicanAPIReconciler) SetupWithManager(mgr ctrl.Manager) error { }); err != nil { return err } + + // index httpdOverrideSecretField + if err := mgr.GetFieldIndexer().IndexField(context.Background(), &barbicanv1beta1.BarbicanAPI{}, httpdCustomServiceConfigSecretField, func(rawObj client.Object) []string { + // Extract the secret name from the spec, if one is provided + cr := rawObj.(*barbicanv1beta1.BarbicanAPI) + if cr.Spec.HttpdCustomization.CustomConfigSecret == nil { + return nil + } + return []string{*cr.Spec.HttpdCustomization.CustomConfigSecret} + }); err != nil { + return err + } + return ctrl.NewControllerManagedBy(mgr). For(&barbicanv1beta1.BarbicanAPI{}). Owns(&corev1.Service{}). diff --git a/controllers/barbicankeystonelistener_controller.go b/controllers/barbicankeystonelistener_controller.go index 33e11a4..4d3eac3 100644 --- a/controllers/barbicankeystonelistener_controller.go +++ b/controllers/barbicankeystonelistener_controller.go @@ -27,6 +27,7 @@ import ( "github.com/openstack-k8s-operators/barbican-operator/pkg/barbican" "github.com/openstack-k8s-operators/barbican-operator/pkg/barbicankeystonelistener" mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1" + "gopkg.in/yaml.v2" // keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1" "github.com/openstack-k8s-operators/lib-common/modules/common" 
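Review bot: The new indexer in SetupWithManager returns `[]string{""}` when `CustomConfigSecret` is a non-nil pointer to an empty string, while generateServiceConfigs treats that value as unset. Guarding both cases keeps the index consistent with the reconciler: `if s := cr.Spec.HttpdCustomization.CustomConfigSecret; s == nil || *s == "" { return nil }`. The comment `// index httpdOverrideSecretField` also names a constant that does not exist in this change and should read `// index httpdCustomServiceConfigSecretField`. SetupWithManager continues outside the hunk.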
@@ -296,7 +297,14 @@ func (r *BarbicanKeystoneListenerReconciler) generateServiceConfigs( "LogFile": fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name), } - return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false) + // Marshal the templateParameters map to YAML + yamlData, err := yaml.Marshal(templateParameters) + if err != nil { + return fmt.Errorf("Error marshalling to YAML: %w", err) + } + customData[common.TemplateParameters] = string(yamlData) + + return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false, map[string]string{}) } func (r *BarbicanKeystoneListenerReconciler) reconcileInit( diff --git a/controllers/barbicanworker_controller.go b/controllers/barbicanworker_controller.go index ef85091..e33181b 100644 --- a/controllers/barbicanworker_controller.go +++ b/controllers/barbicanworker_controller.go @@ -29,6 +29,7 @@ import ( "github.com/openstack-k8s-operators/barbican-operator/pkg/barbican" "github.com/openstack-k8s-operators/barbican-operator/pkg/barbicanworker" mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1" + "gopkg.in/yaml.v2" "github.com/openstack-k8s-operators/lib-common/modules/common" "github.com/openstack-k8s-operators/lib-common/modules/common/condition" @@ -300,7 +301,14 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs( maps.Copy(templateParameters, pkcs11TemplateMap) } - return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false) + // Marshal the templateParameters map to YAML + yamlData, err := yaml.Marshal(templateParameters) + if err != nil { + return fmt.Errorf("Error marshalling to YAML: %w", err) + } + customData[common.TemplateParameters] = string(yamlData) + + return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false, map[string]string{}) } func (r *BarbicanWorkerReconciler) reconcileInit( 
diff --git a/go.mod b/go.mod index b556a46..9975e71 100644 --- a/go.mod +++ b/go.mod @@ -11,12 +11,13 @@ require ( github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-00010101000000-000000000000 github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241213080025-18e54a028c8b github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241212135809-dc78e7221d12 - github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e + github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241216113837-d172b3ac0f4e github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e github.com/openstack-k8s-operators/mariadb-operator/api v0.5.0 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 + gopkg.in/yaml.v2 v2.4.0 k8s.io/api v0.29.10 k8s.io/apimachinery v0.29.10 k8s.io/client-go v0.29.10 @@ -72,7 +73,6 @@ require ( google.golang.org/appengine v1.6.8 // indirect google.golang.org/protobuf v1.34.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.29.10 // indirect k8s.io/component-base v0.29.10 // indirect diff --git a/go.sum b/go.sum index 8a86450..3249e57 100644 --- a/go.sum +++ b/go.sum 
@@ -82,8 +82,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241213080025-1 github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241213080025-18e54a028c8b/go.mod h1:SSYBbFbgQbOwyY2cQNet7fSdQHHPb2rLo6GXE97Awp8= github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241212135809-dc78e7221d12 h1:37tN4oVifWqkerafFrx3DFDDTOOzn2H+c67WIQ1Vkss= github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241212135809-dc78e7221d12/go.mod h1:AZhHY6dZzGyG9iVOf1poD7pTS9c7ZG/f99Fg+GdFVEk= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 h1:vXHpH93PjbAgg5ZN6n5WmxkybVQOs0nhXvVw62o7aZs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e h1:HFo4OqPY0x4ZQeaWI2YGonTXAGTQFt+rOEJlfZVhS7s= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:IASoGvp5QM/tBJUd/8i8uIjj4DBnI+64Ydh4r7pmnvA= github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241216113837-d172b3ac0f4e h1:Qz0JFEoRDUyjEWorNY3LggwxTsmpMtQkcpmZDQulGHQ= diff --git a/templates/barbican/config/10-barbican_wsgi_main.conf b/templates/barbican/config/10-barbican_wsgi_main.conf index 7210664..c191885 100644 --- a/templates/barbican/config/10-barbican_wsgi_main.conf +++ b/templates/barbican/config/10-barbican_wsgi_main.conf 
@@ -35,6 +35,11 @@ WSGIDaemonProcess {{ $endpt }} display-name={{ $endpt }} group=barbican processes=8 threads=1 user=barbican WSGIProcessGroup {{ $endpt }} WSGIScriptAlias / "/var/www/cgi-bin/barbican/main" + +{{- if $vhost.Override }} + Include conf/httpd_custom_{{ $endpt }}_* +{{- end }} + {{ end }} {{ end }} diff --git a/templates/barbican/config/barbican-api-config.json b/templates/barbican/config/barbican-api-config.json index 1d24f3f..3d7ded1 100644 --- a/templates/barbican/config/barbican-api-config.json +++ b/templates/barbican/config/barbican-api-config.json @@ -85,6 +85,13 @@ "perm": "0600", "optional": true, "merge": true + }, + { + "source": "/var/lib/config-data/default/httpd_custom_*", + "dest": "/etc/httpd/conf/", + "owner": "apache", + "perm": "0444", + "optional": true } ], "permissions": [ diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index 333a62b..c75b55a 100644 --- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go @@ -14,6 +14,7 @@ import ( barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" controllers "github.com/openstack-k8s-operators/barbican-operator/controllers" "github.com/openstack-k8s-operators/barbican-operator/pkg/barbican" + "github.com/openstack-k8s-operators/lib-common/modules/common" condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition" mariadb_test "github.com/openstack-k8s-operators/mariadb-operator/api/test/helpers" corev1 "k8s.io/api/core/v1" 
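Review bot: The new copy rule in barbican-api-config.json installs the rendered `httpd_custom_*` files with `"perm": "0444"`, which makes them readable by every user in the container. These files are rendered from user-supplied Go templates that can interpolate any template parameter, including the credential-bearing ones shown in the commit message, so a snippet may end up holding a password or key. The neighbouring entry in this hunk uses `0600`; unless another user is known to need read access, a mode without world read such as `"perm": "0440"` would be the safer default.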
@@ -432,6 +433,65 @@ var _ = Describe("Barbican controller", func() { }) }) + When("A BarbicanAPI is created with HttpdCustomization.CustomConfigSecret", func() { + BeforeEach(func() { + customServiceConfigSecretName := types.NamespacedName{Name: "foo", Namespace: barbicanTest.Instance.Namespace} + customConfig := []byte(`CustomParam "foo" +CustomKeystoneAuthURL "{{ .KeystoneAuthURL }}"`) + th.CreateSecret( + customServiceConfigSecretName, + map[string][]byte{ + "bar.conf": customConfig, + }, + ) + spec := GetDefaultBarbicanSpec() + apiSpec := GetDefaultBarbicanAPISpec() + apiSpec["httpdCustomization"] = map[string]interface{}{ + "customConfigSecret": customServiceConfigSecretName.Name, + } + spec["barbicanAPI"] = apiSpec + DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, "rabbitmq-secret")) + DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, spec)) + DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName)) + + DeferCleanup( + k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, "test-osp-secret-barbican")) + + DeferCleanup( + mariadb.DeleteDBService, + mariadb.CreateDBService( + barbicanTest.Instance.Namespace, + GetBarbican(barbicanTest.Instance).Spec.DatabaseInstance, + corev1.ServiceSpec{ + Ports: []corev1.ServicePort{{Port: 3306}}, + }, + ), + ) + infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL) + DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)) + mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) + mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName) + th.SimulateJobSuccess(barbicanTest.BarbicanDBSync) + }) + + It("it renders the custom template and adds it to the barbicanapi-config-data secret", func() { + scrt := th.GetSecret(barbicanTest.BarbicanAPIConfigSecret) + Expect(scrt).ShouldNot(BeNil()) 
+ Expect(scrt.Data).Should(HaveKey(common.TemplateParameters)) + configData := string(scrt.Data[common.TemplateParameters]) + keystoneAuthURL := "http://keystone-internal.openstack.svc:5000" + + Expect(configData).Should(ContainSubstring(fmt.Sprintf("KeystoneAuthURL: %s", keystoneAuthURL))) + + for _, cfg := range []string{"httpd_custom_internal_bar.conf", "httpd_custom_public_bar.conf"} { + Expect(scrt.Data).Should(HaveKey(cfg)) + configData := string(scrt.Data[cfg]) + Expect(configData).Should(ContainSubstring("CustomParam \"foo\"")) + Expect(configData).Should(ContainSubstring(fmt.Sprintf("CustomKeystoneAuthURL \"%s\"", keystoneAuthURL))) + } + }) + }) + When("A Barbican with HSM is created", func() { BeforeEach(func() { DeferCleanup(k8sClient.Delete, ctx, CreateHSMLoginSecret(barbicanTest.Instance.Namespace, HSMLoginSecret))